David Fields

Q: How do I report a spoofed email address?

I received a bounceback message to my mac.com address which shows that my email address was spoofed AND that it was relayed through Apple's servers.


The message sent was not by me and the text of the message makes it very clear that it is an attempt at phishing private data. I would like to report this through proper channels within Apple to help prevent additional attempts.

Posted on Oct 11, 2012 6:06 AM


  • by simsboynton, Solved answer

    simsboynton Jun 9, 2013 5:57 PM in response to David Fields
    Level 1 (14 points)
    iPhone

    I am answering this question because I’ve received so many spoof/spam messages lately to my email address(es) at me.com.

    I decided to find out how to report them; here’s what I found out:

    Suspicious email messages can be forwarded to one of the following:

    Make sure to include the long header. Long headers can be displayed using the menu bar (see below).

    [screenshot: email-long-header-navigation.jpg]

    Then either copy & paste the long header or simply forward the entire message.

    Example of long header from a suspicious email:

      “From:   Kikki Howard <noreply@hakahakajkfbczj.googlemoogl.tk>
      Subject:   Kiss to you
      Date:   June 9, 2013 4:21:21 PM PDT
      To:   xxxxx@me.com
      Return-Path:   <noreply@hakahakajkfbczj.googlemoogl.tk>
      Received:   from nk11p00mm-smtpin004.mac.com ([xx.xxx.xxx.xxx]) by ms04574.mac.com (Oracle Communications Messaging Server 7u4-26.01(7.0.4.26.0) 64bit (built Jul 13 2012)) with ESMTP id <0MO5001Y5FJL6NL0@ms04574.mac.com> for xxxxx@me.com; Sun, 09 Jun 2013 23:21:21 +0000 (GMT)
      Received:   from hakahakajkfbczj.googlemoogl.tk ([91.191.18.62]) by nk11p00mm-smtpin004.mac.com (Oracle Communications Messaging Server 7u4-27.05(7.0.4.27.4) 64bit (built Apr 23 2013)) with SMTP id <0MO50002UFJJV0G0@nk11p00mm-smtpin004.mac.com> for xxxxx@me.com (ORCPT xxxxx@me.com); Sun, 09 Jun 2013 23:21:21 +0000 (GMT)
      Received:   from nwk-txn-msbadger0204.apple.com (nwk-txn-msbadger0204.apple.com. [xx.xxx.x.xx]) by xx.xxx.x.xx with HTTP; Mon, 10 Jun 2013 01:21:21 +0200
      Original-Recipient:   rfc822;xxxxx@me.com
      X-Proofpoint-Virus-Version:   vendor=fsecure engine=2.50.10432:5.10.8626,1.0.431,0.0.0000 definitions=2013-06-09_07:2013-06-08,2013-06-09,1970-01-01 signatures=0
      X-Proofpoint-Spam-Details:   rule=notspam policy=default score=0 spamscore=0 ipscore=0 suspectscore=14 phishscore=0 bulkscore=53 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=6.0.2-1305010000 definitions=main-1306090279
      Dkim-Signature:   v=1; a=rsa-sha256; c=simple/simple; d=hakahakajkfbczj.googlemoogl.tk; s=hakahakajkfbczj; h=from:subject:date:to:content-type; bh=tL+/wJmQOT1qfRAmSggBixqXyEIqt839Zb4SbOAPNOM=; b=…lggV4PzuGc/TkDUNdlU=;
      Message-Id:   <0D66EC23-70A1-D480-7514-D280D76FF040@apple.com>
      Mime-Version:   1.0 (Apple Message framework v936)
      Content-Type:   multipart/mixed; boundary="-4277442969-183115831-7904244676=:70228 ”

    You can find more info at:

  • by thomas_r.

    thomas_r. Jun 10, 2013 4:21 AM in response to simsboynton
    Level 7 (30,924 points)
    Mac OS X

    Actually, Mr. Fields' problem was probably a hacked e-mail account at the time he posted last year. Reporting the message would not solve that problem.

  • by David Fields

    David Fields Jun 10, 2013 5:50 AM in response to thomas_r.
    Level 1 (59 points)
    Safari

    Actually, my account wasn't hacked; it was really being spoofed. I had the evidence of that through the Long Headers data. What I needed to know is how to report the spoofers to Apple to see if they could block or even black ice the perpetrator.

    Any email address can be spoofed; all it takes is for a bot to enter a machine where your email address is in their contacts list. By simply claiming to be from me AND putting my email address in the 'reply to' field, it guaranteed that I would receive any bounces. Fortunately, I received only a limited number of bounces because the machine used to generate the emails had a very restricted contacts list. I figured out who it was and got them to run their AV software, which discovered and killed the malware.

    Message was edited by: David Fields
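A way to put the two posts above into practice, as an added example that is not code from the thread or from Apple. The script parses a long header, walks the Received chain from the oldest hop, and locates the first hop recorded by the recipient's own mail servers (the `trusted_suffix` argument, an assumption the caller supplies): everything older than that line was written by whoever handed the message over and can be forged, which is why the earliest "apple.com" hop and the @apple.com Message-Id in simsboynton's sample prove nothing. It also checks whether the From, DKIM `d=` and Message-Id domains agree, and flags the case David Fields describes, where From/Reply-To carry your own address but the message entered from an outside machine. Both header samples are constructed, modelled on the quoted header but with RFC 5737 test addresses and example.* names.

```python
import re
from email import message_from_string

# Constructed sample modelled on the long header quoted above (RFC 5737 test
# addresses and example.* names; not the thread's actual message).
PHISH_SAMPLE = """\
From: Kikki Howard <noreply@spoofed.example.net>
Subject: Kiss to you
Date: Sun, 09 Jun 2013 16:21:21 -0700
To: victim@me.example
Return-Path: <noreply@spoofed.example.net>
Received: from mx-in.me.example ([192.0.2.10]) by store.me.example with ESMTP id 1; Sun, 09 Jun 2013 23:21:21 +0000
Received: from spoofed.example.net ([198.51.100.62]) by mx-in.me.example with SMTP id 2; Sun, 09 Jun 2013 23:21:21 +0000
Received: from relay.apple.example.com (relay.apple.example.com. [203.0.113.5]) by 203.0.113.5 with HTTP; Mon, 10 Jun 2013 01:21:21 +0200
DKIM-Signature: v=1; a=rsa-sha256; d=spoofed.example.net; s=sel; h=from:subject; bh=AAAA=; b=BBBB=;
Message-Id: <0D66EC23@apple.example.com>

(phishing body)
"""

# Constructed bounce-style sample for the case David Fields describes: From and
# Reply-To carry the victim's own address, but the connecting host is an
# outside machine.
SELF_SPOOF_SAMPLE = """\
From: David <victim@me.example>
Reply-To: victim@me.example
To: friend@other.example
Subject: hi
Received: from mx-in.me.example ([192.0.2.10]) by store.me.example with ESMTP id 3; Tue, 11 Jun 2013 10:00:00 +0000
Received: from dsl-pool-77.isp.example ([203.0.113.77]) by mx-in.me.example with SMTP id 4; Tue, 11 Jun 2013 09:59:58 +0000

(spam body)
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def domain_of(value):
    """Domain part of 'Name <user@host>', 'user@host' or '<id@host>'."""
    m = re.search(r"@([\w.-]+)", value or "")
    return m.group(1).lower() if m else ""


def received_chain(msg):
    """Received hops oldest-first. Each server prepends its own line, so the
    last Received header in the message is the earliest claimed hop."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m:
            continue
        ip = IP_RE.search(m.group(2) or "")
        hops.append({"from": m.group(1).lower(),
                     "ip": ip.group(1) if ip else "",
                     "by": m.group(3).lower()})
    hops.reverse()
    return hops


def first_trusted_hop(hops, trusted_suffix):
    """Index and hop of the oldest line written by one of our own servers
    (by-host under trusted_suffix). Its from/ip is the client that really
    connected; every older line came from that client and may be forged."""
    for i, hop in enumerate(hops):
        if hop["by"].endswith(trusted_suffix):
            return i, hop
    return None, None


def triage(raw_message, trusted_suffix):
    """Summarise where a message really entered our mail system and which of
    its claimed identities disagree with that."""
    msg = message_from_string(raw_message)
    hops = received_chain(msg)
    idx, entry = first_trusted_hop(hops, trusted_suffix)
    from_dom = domain_of(msg.get("From"))
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_dom = m.group(1).lower() if m else ""
    msgid_dom = domain_of(msg.get("Message-Id"))
    if entry is None:
        return {"connecting_host": "", "connecting_ip": "", "untrusted_hops": 0,
                "from_domain": from_dom, "dkim_domain": dkim_dom,
                "findings": ["no Received line from a trusted server; chain unusable"]}
    findings = []
    if idx:
        findings.append(f"{idx} Received line(s) older than the trusted hop are unverifiable")
    if from_dom.endswith(trusted_suffix) and not entry["from"].endswith(trusted_suffix):
        findings.append("From claims our own domain but the message entered from outside: spoofed sender")
    if dkim_dom and dkim_dom != from_dom:
        findings.append("DKIM d= does not align with the From domain")
    elif dkim_dom:
        findings.append("DKIM aligns with From: proves only that the sending domain signed it, not that it is legitimate")
    if msgid_dom and msgid_dom not in (from_dom, entry["from"]):
        findings.append(f"Message-Id domain {msgid_dom} matches neither From nor the connecting host")
    return {"connecting_host": entry["from"], "connecting_ip": entry["ip"],
            "untrusted_hops": idx, "from_domain": from_dom,
            "dkim_domain": dkim_dom, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("self-spoof", SELF_SPOOF_SAMPLE)):
        print(name, triage(raw, "me.example"))
```

For the phishing sample the connecting client is 198.51.100.62, the one forged hop is reported as unverifiable, and the DKIM signature aligns with the throwaway sender domain, which is why a passing DKIM check is not evidence of legitimacy. For the bounce-style sample the From domain is our own but the connecting host is an outside address, the pattern that tells the victim their address was spoofed rather than their account used.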

  • by thomas_r.

    thomas_r. Jun 10, 2013 6:10 AM in response to David Fields
    Level 7 (30,924 points)
    Mac OS X

    If it was actually a spoof, reporting to Apple also would not help. Spoofed e-mail has forged headers, and even if you trace it back to the source, as your example demonstrates, that source is generally not helpful to report. Really, those reporting addresses are actually just for e-mail being sent from iCloud/MobileMe accounts so Apple can address that issue. There's very little they can do about any other spam.

  • by David Fields

    David Fields Jun 10, 2013 6:32 AM in response to thomas_r.
    Level 1 (59 points)
    Safari

    Agreed; but when it's happening you don't always know what's going on. Since nobody responded I dug a little deeper on my own and actually emailed everybody on my contacts list asking if their machines were acting strangely. As expected, it was a Windows machine that had been compromised.

  • by simsboynton

    simsboynton Jun 10, 2013 11:58 AM in response to thomas_r.
    Level 1 (14 points)
    iPhone

    The spoof/spam emails I’ve been receiving have been sent to both my primary email address @me.com—which is also my Apple ID—as well as to a couple of @me.com aliases that aren't currently in use.

    I don’t have time or the necessary knowledge to address anything beyond forwarding spam/spoof/phishing emails to someone who might; however, it was unduly difficult to find the correct email addresses to which such emails should be forwarded. Since it seemed like other people were having the same problem, I posted my findings. :)

    For what it’s worth, I’ve found 2 more email addresses to which spam/spoof emails can be forwarded:

    thanx!!

    ab/simsboynton